Microsoft addressed 13 vulnerabilities dealing with Remote Desktop Protocol, Internet Explorer and more in April's Patch Tuesday update.
On Internet Explorer (IE), there are two critical patches that should be applied immediately on workstations and servers. The patch deals with a remote code execution vulnerability and affects all versions of IE, including IE 10 on Windows 8 and Windows RT.
Patches for the flaws discovered at the Pwn2Own hacking contest held last month, however, are absent in the cumulative IE update.
"I would expect them to come out within a month," said Wolfgang Kandek, CTO at Qualys, an IT security firm based in Redwood Shores, Calif. He said Microsoft does not need to fast-track or rush an update out before testing because the vulnerabilities exposed at the contest aren't publicly disclosed.
Remote Desktop Protocol (RDP) also received critical fixes for flaws that could allow someone to remotely execute code through a specially crafted website. This patch also touches IE: the RDP client vulnerability lies in its ActiveX component.
Administrators could disable the ActiveX control if an enterprise's users don't need it, said Amol Sarwate, director of Qualys' vulnerability labs.
Another bulletin, rated important, fixes an Active Directory flaw that could lead to a denial of service attack on the server; an attacker could trigger it with a specially crafted request to the Lightweight Directory Access Protocol (LDAP) service.
The threat is somewhat minimized because an attack using this exploit would need credentials in order to function, Sarwate said. The patch applies to multiple versions of Windows Server, including Windows Server 2012 and earlier releases.
SharePoint 2013 received a patch that fixes an issue where an attacker who knows the specific location of a list could gain access to it without permission.
Microsoft also delivered a fix for a Windows Defender vulnerability, which could allow an attacker to gain access to a system and elevate privileges. The patch is only needed on Windows 8 and Windows RT systems; earlier versions aren't affected.
The full list of bulletins can be found on Microsoft's website.